Hitman

Flatpak is unfortunately the only possible option for running Enpass on Steam Deck. The portable version of Enpass is heavily outdated (2021) and the other options require system wide installs that are ugly to keep working on an immutable system.

What would be the advantage over just using Enpass' built in WebDAV, DropBox etc. sync?

Maybe even better: introduce a specific kind of entry that is recognized as a vault (containing password, webdav/dropbox/etc. settings) and can be mounted/restored with one click. It should not be attached/restored automatically, though. But it would be nice if you can easily pick an already saved vault "reference" entry and just say "restore". (Or the other way around: when selecting to add an existing vault, allow picking an entry from one of the already opened vaults that is then used to fill in the to be restored vaults.)

I think you can counter that by using WebDAV for sync. There you can track from where the access comes when syncing. Also you can change the WebDAV credentials when a device is stolen. When a device is stolen with a vault on it (which is always available offline), you have to consider the content compromised (unless you really trust your master password and didn't store it using fingerprints). So if you change all your passwords and the one of your vault, the old information on the stolen device is useless. Triggering a remote wipe (via iOS or Android) is probably a better choice, though.

Wow that is creepy. That implies that they store the plaintext password somewhere. Urgh.

Interesting point. Is there some way to see and vote feature requests? (like aha.io or within this forum?)

You can at least configure Enpass to immediately copy the TOTP code to the clipboard after auto filling the rest. So you could hit auto fill and then right away paste your clipboard content before hitting enter.

Since you seem to be technically versed, you can already do what you want, since Enpass uses the opensource library sqlcipher for storage. See also:

With WebDAV it's still doable. Just add the same account with different directories. As long as you don't have to rotate your WebDAV credentials (too often), it should not be that much of a problem.

Erm, having multiple users using the same user account seems to be the real security issue here. That's not how a multi user system is supposed to work.

What do you mean? With WebDAV it works fine. I have multiple vaults, all synchronized via WebDAV.

Bump. Any news if this is gonna be implemented or not? Anything I can do to help or to convince you that it's worth it?

No, it can't. 2FA relies on the server side being in control and unmodifyable. Since Enpass works offline, all the necessary data and checks are on your machine. So an attacker can manipulate everything to his liking (system clock, etc.). Whatever second factor you choose, its secrets would have to be stored on your machine (as part of your vault) and would be protected with your password. Once this has been logged and the attacker has access to your files (which in your scenario he has), he can unlock the secrets and simply calculate the second factor. You gain no real security; you simply cost your attacker 5 more minutes of his time.

It already does support generating TOTP tokens ... which is what Google Authenticator uses.

With $30 you already have the license for all platforms. 10 for iOS, 10 for Android and 10 for Windows. Since they are lifetime and not restricted to the amount of devices (afaik), what more do you want?